<!DOCTYPE html>
<!-- saved from url=(0047)https://www.cnblogs.com/r00tuser/p/8268329.html -->
<html lang="zh-cn"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="referrer" content="origin">
    <meta property="og:description" content="0x00 前言 早上浏览sec-news，发现锦行信息安全发布了一篇文章《【漏洞分析】 织梦前台任意用户密码修改》，看完之后就想着自己复现一下。 该漏洞的精髓是php的弱类型比较，&amp;#39;0.0&amp;#">
    <meta http-equiv="Cache-Control" content="no-transform">
    <meta http-equiv="Cache-Control" content="no-siteapp">
    <title>【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园</title>
    
    <link rel="stylesheet" href="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/blog-common.min.css">
    <link id="MainCss" rel="stylesheet" href="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/bundle-simplememory.min.css">
    
    <link id="mobile-style" media="only screen and (max-width: 767px)" type="text/css" rel="stylesheet" href="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/bundle-SimpleMemory-mobile.min.css">
    
    <link type="application/rss+xml" rel="alternate" href="https://www.cnblogs.com/r00tuser/rss">
    <link type="application/rsd+xml" rel="EditURI" href="https://www.cnblogs.com/r00tuser/rsd.xml">
    <link type="application/wlwmanifest+xml" rel="wlwmanifest" href="https://www.cnblogs.com/r00tuser/wlwmanifest.xml">
    <script src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/pubads_impl_rendering_2019091901.js.下载"></script><script async="" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/analytics.js.下载"></script><script src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/jquery-2.2.0.min.js.下载"></script><style>html, * {-webkit-user-select:text!important; -moz-user-select:text!important;}</style>
    <script src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/blog-common.min.js.下载"></script>
    <script>
        var currentBlogId = 369076;
        var currentBlogApp = 'r00tuser';
        var cb_enable_mathjax = false;
        var isLogined = true;
    </script>
    
    
    
<link rel="preload" href="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/f.txt" as="script"><script type="text/javascript" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/f.txt"></script><script src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/pubads_impl_2019091901.js.下载" async=""></script><link rel="prefetch" href="https://tpc.googlesyndication.com/safeframe/1-0-35/html/container.html"></head>
<body>
    <a name="top"></a>
    
    
<!--done-->
<div id="home">
<div id="header">
	<div id="blogTitle">
        <a id="lnkBlogLogo" href="https://www.cnblogs.com/r00tuser/"><img id="blogLogo" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/logo.gif" alt="返回主页"></a>		
		
<!--done-->
<h1><a id="Header1_HeaderTitle" class="headermaintitle HeaderMainTitle" href="https://www.cnblogs.com/r00tuser/">水泡泡</a>
</h1>
<h2>

</h2>




		
	</div><!--end: blogTitle 博客的标题和副标题 -->
	<div id="navigator">
		
<ul id="navList">
<li><a id="blog_nav_sitehome" class="menu" href="https://www.cnblogs.com/">
博客园</a>
</li>
<li>
<a id="blog_nav_myhome" class="menu" href="https://www.cnblogs.com/r00tuser/">
首页</a>
</li>
<li>

<a id="blog_nav_newpost" class="menu" href="https://i.cnblogs.com/EditPosts.aspx?opt=1">
新随笔</a>
</li>
<li>
<a id="blog_nav_contact" class="menu" href="https://msg.cnblogs.com/send/%E6%B0%B4%E6%B3%A1%E6%B3%A1">
联系</a></li>
<li>
<a id="blog_nav_rss" class="menu" href="https://www.cnblogs.com/r00tuser/rss/">
订阅</a>
<!--<partial name="./Shared/_XmlLink.cshtml" model="Model" /></li>--></li>
<li>
<a id="blog_nav_admin" class="menu" href="https://i.cnblogs.com/">
管理</a>
</li>
</ul>


		<div class="blogStats">
			
			<span id="stats_post_count">随笔 - 
53&nbsp; </span>
<span id="stats_article_count">文章 - 
8&nbsp; </span>
<span id="stats-comment_count">评论 - 
16</span>

			
		</div><!--end: blogStats -->
	</div><!--end: navigator 博客导航栏 -->
</div><!--end: header 头部 -->

<div id="main">
	<div id="mainContent">
	<div class="forFlow">
		<div id="post_detail">
    <!--done-->
    <div id="topics">
        <div class="post">
            <h1 class="postTitle">
                
<a id="cb_post_title_url" class="postTitle2" href="https://www.cnblogs.com/r00tuser/p/8268329.html">【漏洞分析】dedecms有前提前台任意用户密码修改</a>

            </h1>
            <div class="clear"></div>
            <div class="postBody">
                
<div id="cnblogs_post_body" class="blogpost-body ">
    <p><span style="font-size: 16px;"><strong>&nbsp;0x00 前言</strong></span></p>
<p>早上浏览sec-news，发现<strong>锦行信息安全</strong>发布了一篇文章《【漏洞分析】 织梦前台任意用户密码修改》，看完之后就想着自己复现一下。</p>
<p>该漏洞的精髓是php的弱类型比较，'0.0' == '0'，也有一定的限制，只对没有设置安全问题的用户有效（默认是没有设置的）。</p>
<p>&nbsp;</p>
<p><span style="font-size: 16px;"><strong>0x01 漏洞版本</strong></span></p>
<p>我复现的是<strong>DedeCMS V5.7 SP2正式版</strong>，2018-01-09发布的，其他的没测。应该算是最新版本的一个0day了。</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111134203707-1689482634.png" alt=""></p>
<p>&nbsp;</p>
<p><span style="font-size: 16px;"><strong>0x02 漏洞影响</strong></span></p>
<p>该漏洞允许攻击者修改任意前台用户密码。</p>
<p>&nbsp;</p>
<p><span style="font-size: 16px;"><strong>0x03 漏洞利用条件</strong></span></p>
<p>1，开启会员模块</p>
<p>2，攻击者拥有一个正常的会员账号</p>
<p>3，目标没有设置安全问题</p>
<p>&nbsp;</p>
<p><span style="font-size: 16px;"><strong>0x04 漏洞分析</strong></span></p>
<p>问题出现在/member/resetpasswordd.php&nbsp; 文件中。dedecms 用的是全局变量解析</p>
<p>一步步看：</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111135706801-1099718345.png" alt=""></p>
<p>&nbsp;</p>
<p>这里先接受了一个id变量，用来查询用户。</p>
<p>接下来看到</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111135719082-1424332381.png" alt=""></p>
<p>&nbsp;</p>
<p>这里是整个漏洞的核心所在，从数据库中获取safequestion，然后与传过来的数据进行判等。用的是双等号，又因为用户没有设置安全问题，数据库里面默认存的是0。</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111135811160-1036662100.png" alt=""></p>
<p>通过php弱类型的转换'0.0' == '0'了。（内部运算：先是把0.0（浮点数（0.0）转换为int(0)，然后字符串('0')转换为int(0)，最后 0==0 ，所以相等了。）</p>
<p>直接传0是不行的，因为前面有一个empty的判断，当然你也可以利用十六进制比如:0x0</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111141409488-1370217633.png" alt=""></p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111141344379-1903601183.png" alt=""></p>
<p>&nbsp;其内不转换和上面的是一样的。</p>
<p>接下来跟进sn函数（记住这里我们的send默认为N）</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111141524660-1556092961.png" alt=""></p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111141617926-76091818.png" alt=""></p>
<p>继续跟进newmail函数</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111141721363-1793499214.png" alt=""></p>
<p>可以看到当send为N时，直接在前端页面返回了验证码。（而我们这里刚好默认就是N，见前文）<br>又因为用户id是我们可以控制的，safequestion(默认情况)下可以绕过。</p>
<p>那么也就达成了修改前台任意用户密码的效果。</p>
<p>&nbsp;</p>
<p><span style="font-size: 16px;"><strong>0x05 漏洞复现</strong></span></p>
<p>因为这里的模块属于会员模块，包含了member.login.class.php。需要登录才能操作。</p>
<p>那么我先注册一个用户，担任攻击者，再注册另外一个用户担任目标。</p>
<p>请求url应该是这样的:</p>
<div class="cnblogs_Highlighter sh-gutter">
<div><div id="highlighter_381673" class="syntaxhighlighter  html"><div class="toolbar"><span><a href="https://www.cnblogs.com/r00tuser/p/8268329.html#" class="toolbar_item command_help help">?</a></span></div><table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td class="gutter"><div class="line number1 index0 alt2">1</div></td><td class="code"><div class="container"><div class="line number1 index0 alt2"><code class="html plain">http://127.0.0.1/dedecms/member/resetpassword.php?dopost=safequestion&amp;safequestion=0.0&amp;id={userid}</code></div></div></td></tr></tbody></table></div></div>
</div>
<p>test为攻击者，用户id为2，密码:test。test1为目标，用户id为3,修改密码为:hacker</p>
<p>下面就演示一下用test修改test1用户的过程。</p>
<p>Step1: 登陆test用户</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111142603863-557111774.png" alt=""></p>
<p>&nbsp;</p>
<p>Step2：发送请求url</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111142724863-1259620564.png" alt=""></p>
<p>&nbsp;</p>
<p>Step3：请求修改页URL：</p>
<div class="cnblogs_Highlighter sh-gutter">
<div><div id="highlighter_375724" class="syntaxhighlighter  html"><div class="toolbar"><span><a href="https://www.cnblogs.com/r00tuser/p/8268329.html#" class="toolbar_item command_help help">?</a></span></div><table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td class="gutter"><div class="line number1 index0 alt2">1</div></td><td class="code"><div class="container"><div class="line number1 index0 alt2"><code class="html plain">http://127.0.0.1/dedecms/member/resetpassword.php?dopost=getpasswd&amp;id=3&amp;key=Dj7PeiRm</code></div></div></td></tr></tbody></table></div></div>
</div>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111142901535-1830138767.png" alt=""></p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>Step4：修改用户test1的密码为hacker</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111143000832-534206246.png" alt=""></p>
<p>Step5: 用修改之后的密码登陆进行验证</p>
<p><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/1205477-20180111143126644-1159884796.png" alt=""></p>
<p>验证成功。</p>
<p>&nbsp;</p>
<p><span style="font-size: 16px;"><strong>0x06&nbsp; 思考与总结</strong></span></p>
<p>虽然说整个漏洞的关键是那一处弱类型比较，也是php的特性与及开发人员对于特性的掌握不够全面所致。漏洞危害其实不太，dede多用于内容，没有什么用户交互而言。如果需要提供用户交流平台，大多数应该会用discuz。</p>
<p>但我觉得对于用户的权限划分不明才是这个漏洞的根本，可以归根为越权。用户id竟然可以直接由用户控制传输，倘若通过session，那么就算用户安全问题没有设置，可以用弱类型比较，最后也仅限于修改自己的密码。</p>
<p>php的弱类型一直是一个问题，特别是早期没有那么重视安全的时候。多少问题都是出在那里。</p>
</div>
<div id="MySignature"></div>
<div class="clear"></div>
<div id="blog_post_info_block"><div id="BlogPostCategory">
    分类: 
            <a href="https://www.cnblogs.com/r00tuser/category/1122565.html" target="_blank">php代码审计</a>,             <a href="https://www.cnblogs.com/r00tuser/category/1040832.html" target="_blank">web安全</a></div>
<div id="EntryTag">
    标签: 
            <a href="https://www.cnblogs.com/r00tuser/tag/dedecms/">dedecms</a>,             <a href="https://www.cnblogs.com/r00tuser/tag/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">代码审计</a></div>

    <div id="blog_post_info">
<div id="green_channel">
        <a href="javascript:void(0);" id="green_channel_digg" onclick="DiggIt(8268329,cb_blogId,1);green_channel_success(this,&#39;谢谢推荐！&#39;);">好文要顶</a>
        <a id="green_channel_follow" onclick="follow(&#39;5c849e77-b3a2-47d1-391e-08d49c352df3&#39;);" href="javascript:void(0);">关注我</a>
    <a id="green_channel_favorite" onclick="AddToWz(cb_entryId);return false;" href="javascript:void(0);">收藏该文</a>
    <a id="green_channel_weibo" href="javascript:void(0);" title="分享至新浪微博" onclick="ShareToTsina()"><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/icon_weibo_24.png" alt=""></a>
    <a id="green_channel_wechat" href="javascript:void(0);" title="分享至微信" onclick="shareOnWechat()"><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/wechat.png" alt=""></a>
</div>
<div id="author_profile">
    <div id="author_profile_info" class="author_profile_info">
            <a href="https://home.cnblogs.com/u/r00tuser/" target="_blank"><img src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/20170723212305.png" class="author_avatar" alt=""></a>
        <div id="author_profile_detail" class="author_profile_info">
            <a href="https://home.cnblogs.com/u/r00tuser/">水泡泡</a><br>
            <a href="https://home.cnblogs.com/u/r00tuser/followees/">关注 - 7</a><br>
            <a href="https://home.cnblogs.com/u/r00tuser/followers/">粉丝 - 34</a>
        </div>
    </div>
    <div class="clear"></div>
    <div id="author_profile_honor"></div>
    <div id="author_profile_follow">
                <a href="javascript:void(0);" onclick="follow(&#39;5c849e77-b3a2-47d1-391e-08d49c352df3&#39;);return false;">+加关注</a>
    </div>
</div>
<div id="div_digg">
    <div class="diggit" onclick="votePost(8268329,&#39;Digg&#39;)">
        <span class="diggnum" id="digg_count">0</span>
    </div>
    <div class="buryit" onclick="votePost(8268329,&#39;Bury&#39;)">
        <span class="burynum" id="bury_count">0</span>
    </div>
    <div class="clear"></div>
    <div class="diggword" id="digg_tips">
    </div>
</div>

<script type="text/javascript">
    currentDiggType = 0;
</script></div>
    <div class="clear"></div>
    <div id="post_next_prev">

    <a href="https://www.cnblogs.com/r00tuser/p/8080495.html" class="p_n_p_prefix">« </a> 上一篇：    <a href="https://www.cnblogs.com/r00tuser/p/8080495.html" title="发布于 2017-12-21 14:39">关于t00ls的挂机脚本</a>
    <br>
    <a href="https://www.cnblogs.com/r00tuser/p/8417806.html" class="p_n_p_prefix">» </a> 下一篇：    <a href="https://www.cnblogs.com/r00tuser/p/8417806.html" title="发布于 2018-02-05 15:29">[代码审计]某开源商城前台getshell</a>

</div>
</div>
            </div>
            <div class="postDesc">posted @ 
<span id="post-date">2018-01-11 14:42</span>&nbsp;<a href="https://www.cnblogs.com/r00tuser/">水泡泡</a> 阅读(<span id="post_view_count">858</span>) 评论(<span id="post_comment_count">0</span>) <a href="https://i.cnblogs.com/EditPosts.aspx?postid=8268329" rel="nofollow"> 编辑</a> <a href="javascript:void(0)" onclick="AddToWz(8268329); return false;">收藏</a>
</div>
        </div>
	    
	    
    </div><!--end: topics 文章、评论容器-->
</div>
<script src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/highlight.min.js.下载"></script>
<script>markdown_highlight();</script>
<script>
    var allowComments = true, cb_blogId = 369076, cb_blogApp = 'r00tuser', cb_blogUserGuid = '5c849e77-b3a2-47d1-391e-08d49c352df3';
    var cb_entryId = 8268329, cb_entryCreatedDate = '2018-01-11 14:42', cb_postType = 1; 
    loadViewCount(cb_entryId);
</script><a name="!comments"></a>
<div id="blog-comments-placeholder"></div>
<script>
    var commentManager = new blogCommentManager();
    commentManager.renderComments(0);
</script>

<div id="comment_form" class="commentform">
    <a name="commentform"></a>
    <div id="divCommentShow"></div>
    <div id="comment_nav"><span id="span_refresh_tips"></span><a href="javascript:void(0);" onclick="return RefreshCommentList();" id="lnk_RefreshComments" runat="server" clientidmode="Static">刷新评论</a><a href="https://www.cnblogs.com/r00tuser/p/8268329.html#" onclick="return RefreshPage();">刷新页面</a><a href="https://www.cnblogs.com/r00tuser/p/8268329.html#top">返回顶部</a></div>
    <div id="comment_form_container">
<script type="text/javascript" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/mention.js.下载"></script>
<div id="commentform_title">发表评论</div>
<span id="tip_comment" style="color:Red"></span>
<p>
    昵称：<input type="text" id="tbCommentAuthor" class="author" disabled="disabled" size="50" value="稻不香">
</p>
<div class="commentbox_main">
    <div class="commentbox_title">
        <div class="commentbox_title_left">评论内容：</div>
        <div class="commentbox_title_right">
            <img id="ubb_quote" class="comment_icon" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/quote.gif" alt="引用" title="添加引用" onclick="insertUBB(&#39;tbCommentBody&#39;,&#39;quote&#39;)">
            <img id="ubb_bold" class="comment_icon" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/b.png" alt="粗体" title="添加粗体" onclick="insertUBB(&#39;tbCommentBody&#39;,&#39;b&#39;)">
            <img id="ubb_url" class="comment_icon" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/lk.png" alt="链接" title="添加链接" onclick="insertUbbUrl(&#39;tbCommentBody&#39;)">
            <img id="ubb_indent" class="comment_icon" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/indent.png" alt="缩进" title="添加首行缩进" onclick="insertIndent(&#39;tbCommentBody&#39;)">
            <img id="ubb_code" class="comment_icon" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/InsertCode.gif" alt="代码" title="添加代码" onclick="insertUbbCode()">
            <img id="ubb_img" class="comment_icon" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/img.gif" alt="图片" title="上传图片" onclick="OpenImageUploadWindow();">
        </div>
    </div>
    <textarea id="tbCommentBody" class="comment_textarea"></textarea>
</div>
<p id="commentbox_opt">
    <input id="btn_comment_submit" type="button" class="comment_btn" value="提交评论">
    <span id="span_comment_canceledit" style="display:none"><a href="javascript:void(0);" onclick="return CancelCommentEdit()">不改了</a></span>
    <a href="javascript:void(0);" onclick="return logout();">退出</a>
            <a id="commentbox_opt_sub" href="javascript:void(0);" title="订阅后有新评论时会邮件通知您" onclick="commentManager.Subscribe()">订阅评论</a>
</p>
<div id="tip_comment2" style="color:Red"></div>
<p>
    [Ctrl+Enter快捷键提交]
</p>
<div style="display:none">
    <span id="comment_edit_id"></span><span id="span_parentcomment_id"></span>
    <span id="span_parent_id"></span>
    <span id="span_comment_replyto"></span>
    <span id="span_comment_posted"></span>
</div>
</div>
    <div class="ad_text_commentbox" id="ad_text_under_commentbox"></div>
    <div id="ad_t2"><a href="http://www.ucancode.com/index.htm" target="_blank" onclick="ga(&#39;send&#39;, &#39;event&#39;, &#39;Link&#39;, &#39;click&#39;, &#39;T2-工控&#39;)">【推荐】超50万行VC++源码: 大型组态工控、电力仿真CAD与GIS源码库</a><br><a href="https://www.jdcloud.com/cn/activity/newUser?utm_source=DMT_cnblogs&amp;utm_medium=CH&amp;utm_campaign=09vm&amp;utm_term=Virtual-Machines" target="_blank" onclick="ga(&#39;send&#39;, &#39;event&#39;, &#39;Link&#39;, &#39;click&#39;, &#39;T2-京东云&#39;)">【活动】京东云限时优惠1.5折购云主机，最高返价值1000元礼品！</a><br><a href="https://cloud.tencent.com/act/pro/overseas?fromSource=gwzcw.2802159.2802159.2802159&amp;utm_medium=cpc&amp;utm_id=gwzcw.2802159.2802159.2802159" target="_blank" onclick="ga(&#39;send&#39;, &#39;event&#39;, &#39;Link&#39;, &#39;click&#39;, &#39;T2-腾讯云&#39;)">【推荐】腾讯云海外云服务器1核2G19.8元/月</a><br><a href="https://www.ctyun.cn/activity/#/20190919?hmsr=%E5%8D%9A%E5%AE%A2%E5%9B%AD-0916-919%E6%B4%BB%E5%8A%A8&amp;hmpl=&amp;hmcu=&amp;hmkw=&amp;hmci=" target="_blank" onclick="ga(&#39;send&#39;, &#39;event&#39;, &#39;Link&#39;, &#39;click&#39;, &#39;T2-天翼云&#39;)">【推荐】919 天翼云钜惠，全网低价，云主机9元轻松购</a><br><a href="http://clickc.admaster.com.cn/c/a131575,b3595121,c1705,i0,m101,8a1,8b3,h" target="_blank" onclick="ga(&#39;send&#39;, &#39;event&#39;, &#39;Link&#39;, &#39;click&#39;, &#39;T2-华为文字&#39;)">【推荐】华为云文字识别资源包重磅上市，1元万次限时抢购</a><br><a href="https://www.cnblogs.com/cmt/p/11505603.html" target="_blank" onclick="ga(&#39;send&#39;, &#39;event&#39;, &#39;Link&#39;, &#39;click&#39;, &#39;T2-华为云代金券&#39;)">【福利】git pull &amp;&amp; cherry-pick 博客园&amp;华为云百万代金券</a><br></div>
    <div id="opt_under_post"></div>
    <script async="async" src="./【漏洞分析】dedecms有前提前台任意用户密码修改 - 水泡泡 - 博客园_files/gpt.js.下载"></script>
    <script>
        var googletag = googletag || {};
        googletag.cmd = googletag.cmd || [];
    </script>
    <script>
        googletag.cmd.push(function () {
            googletag.defineSlot("/1090369/C1", [300, 250], "div-gpt-ad-1546353474406-0").addService(googletag.pubads());
            googletag.defineSlot("/1090369/C2", [468, 60], "div-gpt-ad-1539008685004-0").addService(googletag.pubads());
            googletag.pubads().enableSingleRequest();
            googletag.enableServices();
        });
    </script>
    <div id="cnblogs_c1" class="c_ad_block" style="">
        <div id="div-gpt-ad-1546353474406-0" style="height: 250px; width: 300px;"><div id="google_ads_iframe_/1090369/C1_0__container__" style="border: 0pt none; width: 300px; height: 250px;"></div></div>
    </div>
    <div id="under_post_news"><div class="recomm-block"><b>相关博文：</b><br>·  <a title="代码审计-DedeCMS-V5.7前台任意用户密码重置" href="https://www.cnblogs.com/-qing-/p/10849028.html" target="_blank" onclick="clickRecomItmem(10849028)">代码审计-DedeCMS-V5.7前台任意用户密码重置</a><br>·  <a title="【代码审计】CLTPHP_v5.5.3前台任意文件上传漏洞分析" href="https://www.cnblogs.com/xiaozi/p/10053159.html" target="_blank" onclick="clickRecomItmem(10053159)">【代码审计】CLTPHP_v5.5.3前台任意文件上传漏洞分析</a><br>·  <a title="【代码审计】EasySNS_V1.6前台任意文件下载漏洞分析" href="https://www.cnblogs.com/xiaozi/p/10053194.html" target="_blank" onclick="clickRecomItmem(10053194)">【代码审计】EasySNS_V1.6前台任意文件下载漏洞分析</a><br>·  <a title="【漏洞分析】dedecms有前提前台任意用户密码修改" href="https://www.cnblogs.com/r00tuser/p/8268329.html" target="_blank" onclick="clickRecomItmem(8268329)">【漏洞分析】dedecms有前提前台任意用户密码修改</a><br>·  <a title="微信任意用户密码修改漏洞分析" href="https://www.cnblogs.com/pondbay/archive/2013/04/21/3486460.html" target="_blank" onclick="clickRecomItmem(3486460)">微信任意用户密码修改漏洞分析</a><br></div></div>
    <div id="cnblogs_c2" class="c_ad_block" style="">
        <div id="div-gpt-ad-1539008685004-0" style="height: 60px; width: 468px;">
            <script>
                if (new Date() >= new Date(2018, 9, 13)) {
                    googletag.cmd.push(function () { googletag.display("div-gpt-ad-1539008685004-0"); });
                }
            </script>
        <div id="google_ads_iframe_/1090369/C2_0__container__" style="border: 0pt none; width: 468px; height: 60px;"></div></div>
    </div>
    <div id="under_post_kb">
<div class="itnews c_ad_block">
    <b>最新 IT 新闻</b>:
    <br>
 ·              <a href="https://news.cnblogs.com/n/641576/" target="_blank">逼死深海恐惧症的纪录片，南极深处究竟有什么巨型怪物</a>
            <br>
 ·              <a href="https://news.cnblogs.com/n/641575/" target="_blank">中国程序员每年的高光时刻，就在九月的杭州</a>
            <br>
 ·              <a href="https://news.cnblogs.com/n/641574/" target="_blank">华为：公司不搭载美国元器件的5G基站下月量产</a>
            <br>
 ·              <a href="https://news.cnblogs.com/n/641573/" target="_blank">百度高级副总裁沈抖加入爱奇艺公司董事会</a>
            <br>
 ·              <a href="https://news.cnblogs.com/n/641572/" target="_blank">飞天、神龙重塑阿里：中国最大AI公司展示计算实力</a>
            <br>
    » <a href="https://news.cnblogs.com/" title="IT 新闻" target="_blank">更多新闻...</a>
</div></div>
    <div id="HistoryToday" class="c_ad_block"></div>
    <script type="text/javascript">
        fixPostBody();
        setTimeout(function () { incrementViewCount(cb_entryId); }, 50);
        deliverAdT2();
        deliverAdC1();
        deliverAdC2();
        loadNewsAndKb();
        loadBlogSignature();
LoadPostCategoriesTags(cb_blogId, cb_entryId);        LoadPostInfoBlock(cb_blogId, cb_entryId, cb_blogApp, cb_blogUserGuid);
        GetPrevNextPost(cb_entryId, cb_blogId, cb_entryCreatedDate, cb_postType);
        loadOptUnderPost();
        GetHistoryToday(cb_blogId, cb_blogApp, cb_entryCreatedDate);
    </script>
</div>
	</div><!--end: forFlow -->
	</div><!--end: mainContent 主体内容容器-->

	<div id="sideBar">
		<div id="sideBarMain">
			
<div id="sidebar_news" class="newsItem"><!--done-->
<h3 class="catListTitle">公告</h3>

<div id="blog-news">
    
    <div id="profile_block">
        昵称：
        <a href="https://home.cnblogs.com/u/r00tuser/">
            水泡泡
        </a>
        <br>
        园龄：
        <a href="https://home.cnblogs.com/u/r00tuser/" title="入园时间：2017-07-23">
            2年2个月
        </a>
        <br>
        粉丝：
        <a href="https://home.cnblogs.com/u/r00tuser/followers/">
            34
        </a>
        <br>
        关注：
        <a href="https://home.cnblogs.com/u/r00tuser/followees/">
            7
        </a>
        <div id="p_b_follow">
<a href="javascript:void(0)" onclick="follow(&#39;5c849e77-b3a2-47d1-391e-08d49c352df3&#39;)">+加关注</a></div>
        <script>getFollowStatus('5c849e77-b3a2-47d1-391e-08d49c352df3');</script>
    </div>
</div>

</div>

			<div id="blog-calendar" style="">

<table id="blogCalendar" class="Cal" cellspacing="0" cellpadding="0" title="Calendar" border="0">
    <tbody>
        <tr>
            <td colspan="7">
                <table class="CalTitle" cellspacing="0" border="0">
                    <tbody>
                        <tr>
                            <td class="CalNextPrev">
                                <a href="javascript:void(0);" onclick="loadBlogCalendar(&#39;2019/08/28&#39;); return false;">&lt;</a>
                            </td>
                            <td align="center">2019年9月</td>
                            <td align="right" class="CalNextPrev">
                                <a href="javascript:void(0);" onclick="loadBlogCalendar(&#39;2019/10/28&#39;); return false;">&gt;</a>
                            </td>
                        </tr>
                    </tbody>
                </table>
            </td>
        </tr>
        <tr>
                    <th class="CalDayHeader" align="center" abbr="日" scope="col">日</th>
                    <th class="CalDayHeader" align="center" abbr="一" scope="col">一</th>
                    <th class="CalDayHeader" align="center" abbr="二" scope="col">二</th>
                    <th class="CalDayHeader" align="center" abbr="三" scope="col">三</th>
                    <th class="CalDayHeader" align="center" abbr="四" scope="col">四</th>
                    <th class="CalDayHeader" align="center" abbr="五" scope="col">五</th>
                    <th class="CalDayHeader" align="center" abbr="六" scope="col">六</th>
        </tr>
            <tr>
                        <td class="CalWeekendDay" align="center">
                            1
                        </td>
                        <td class="" align="center">
                            2
                        </td>
                        <td class="" align="center">
                            3
                        </td>
                        <td class="" align="center">
                            4
                        </td>
                        <td class="" align="center">
                            5
                        </td>
                        <td class="" align="center">
                            6
                        </td>
                    <td class="CalWeekendDay" align="center">
                        7
                    </td>
            </tr>
                <tr>
                        <td class="CalWeekendDay" align="center">
                            8
                        </td>
                            <td class="" align="center">
                                9
                            </td>
                            <td class="" align="center">
                                10
                            </td>
                            <td class="" align="center">
                                11
                            </td>
                            <td class="" align="center">
                                12
                            </td>
                            <td class="" align="center">
                                13
                            </td>
                        <td class="CalWeekendDay" align="center">
                            14
                        </td>
                </tr>
                <tr>
                        <td class="CalWeekendDay" align="center">
                            15
                        </td>
                            <td class="" align="center">
                                16
                            </td>
                            <td class="" align="center">
                                17
                            </td>
                            <td class="" align="center">
                                18
                            </td>
                            <td class="" align="center">
                                19
                            </td>
                            <td class="" align="center">
                                20
                            </td>
                        <td class="CalWeekendDay" align="center">
                            21
                        </td>
                </tr>
                <tr>
                        <td class="CalWeekendDay" align="center">
                            22
                        </td>
                            <td class="" align="center">
                                23
                            </td>
                            <td class="" align="center">
                                24
                            </td>
                            <td class="" align="center">
                                25
                            </td>
                            <td class="" align="center">
                                26
                            </td>
                            <td class="" align="center">
                                27
                            </td>
                        <td class="CalTodayDay" align="center">
                            28
                        </td>
                </tr>
                <tr>
                        <td class="CalWeekendDay" align="center">
                            29
                        </td>
                            <td class="" align="center">
                                30
                            </td>
                            <td class="CalOtherMonthDay" align="center">
                                1
                            </td>
                            <td class="CalOtherMonthDay" align="center">
                                2
                            </td>
                            <td class="CalOtherMonthDay" align="center">
                                3
                            </td>
                            <td class="CalOtherMonthDay" align="center">
                                4
                            </td>
                        <td class="CalOtherMonthDay" align="center">
                            5
                        </td>
                </tr>
                <tr>
                        <td class="CalOtherMonthDay" align="center">
                            6
                        </td>
                            <td class="CalOtherMonthDay" align="center">
                                7
                            </td>
                            <td class="CalOtherMonthDay" align="center">
                                8
                            </td>
                            <td class="CalOtherMonthDay" align="center">
                                9
                            </td>
                            <td class="CalOtherMonthDay" align="center">
                                10
                            </td>
                            <td class="CalOtherMonthDay" align="center">
                                11
                            </td>
                        <td class="CalOtherMonthDay" align="center">
                            12
                        </td>
                </tr>
    </tbody>
</table></div><script>loadBlogDefaultCalendar();</script>
			
			<div id="leftcontentcontainer">
				<div id="blog-sidecolumn">

<!-- 搜索 -->
<div id="sidebar_search" class="sidebar-block">
    <div id="sidebar_search" class="mySearch">
        <h3 class="catListTitle">搜索</h3>
        <div id="sidebar_search_box">
            <div id="widget_my_zzk" class="div_my_zzk">
                <input type="text" id="q" onkeydown="return zzk_go_enter(event);" class="input_my_zzk">&nbsp;<input onclick="zzk_go()" type="button" value="找找看" id="btnZzk" class="btn_my_zzk">
            </div>
            <div id="widget_my_google" class="div_my_zzk">
                <input type="text" name="google_q" id="google_q" onkeydown="return google_go_enter(event);" class="input_my_zzk">&nbsp;<input onclick="google_go()" type="button" value="谷歌搜索" class="btn_my_zzk">
            </div>
        </div>
    </div>
</div>

<!-- 常用链接 -->
<div id="sidebar_shortcut" class="sidebar-block">
    <div class="catListLink">
<h3 class="catListTitle">
常用链接
</h3>
<ul>
		<li>

<a href="https://www.cnblogs.com/r00tuser/p/" title="我的博客的随笔列表">我的随笔</a>
</li>
		<li>

<a href="https://www.cnblogs.com/r00tuser/MyComments.html" title="我的发表过的评论列表">我的评论</a>
</li>
		<li>

<a href="https://www.cnblogs.com/r00tuser/OtherPosts.html" title="我评论过的随笔列表">我的参与</a>
</li>
		<li>

<a href="https://www.cnblogs.com/r00tuser/RecentComments.html" title="我的博客的评论列表">最新评论</a>
</li>
		<li>

<a href="https://www.cnblogs.com/r00tuser/tag/" title="我的博客的标签列表">我的标签</a>
</li>

</ul>
<div id="itemListLin_con" style="display:none;">
<ul>

</ul>
</div>
</div>


</div>

<!-- 最新随笔 -->



<!-- 我的标签 -->
<div id="sidebar_toptags" class="sidebar-block">
    <div class="catListTag">
<h3 class="catListTitle">我的标签</h3>
<ul>

        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">代码审计</a>(4)
        </li>
        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/xss/">xss</a>(4)
        </li>
        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/getshell/">getshell</a>(3)
        </li>
        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/php%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">php代码审计</a>(3)
        </li>
        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/sql%E6%B3%A8%E5%85%A5/">sql注入</a>(3)
        </li>
        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/">java代码审计</a>(2)
        </li>
        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/xss%E6%8C%91%E6%88%98/">xss挑战</a>(2)
        </li>
        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/%E8%BD%AF%E4%BB%B6%E7%A0%94%E7%A9%B6/">软件研究</a>(2)
        </li>
        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/%E5%AE%A1%E8%AE%A1%E6%80%BB%E7%BB%93/">审计总结</a>(2)
        </li>
        <li>
            <a href="https://www.cnblogs.com/r00tuser/tag/%E8%85%BE%E8%AE%AF%E5%BC%80%E5%8F%91%E8%80%85%E5%AE%9E%E9%AA%8C%E5%AE%A4/">腾讯开发者实验室</a>(2)
        </li>
            <li>
                <a href="https://www.cnblogs.com/r00tuser/tag/">更多</a>
            </li>

</ul>
</div>


</div>

<!-- 积分与排名 -->


<!-- 随笔分类、随笔档案、文章分类、新闻分类、相册、链接 -->
<div id="sidebar_categories">
    
        <div id="sidebar_postcategory" class="catListPostCategory sidebar-block">
            <h3 class="catListTitle">
                

随笔分类



            </h3>


            <ul>

                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1056470.html" rel="" target="">
    ctf(1)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1425797.html" rel="" target="">
    java(1)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1043834.html" rel="" target="">
    mysql(3)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1040831.html" rel="" target="">
    php(4)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1122565.html" rel="" target="">
    php代码审计(15)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1040830.html" rel="" target="">
    python(3)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1040832.html" rel="" target="">
    web安全(18)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1111353.html" rel="" target="">
    漏洞分析(8)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1338593.html" rel="" target="">
    软件研究(2)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1075472.html" rel="" target="">
    渗透测试(5)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1042333.html" rel="" target="">
    杂七杂八(3)
</a>
 

                        </li>

            </ul>


        </div>
        <div id="sidebar_postarchive" class="catListPostArchive sidebar-block">
            <h3 class="catListTitle">
                

随笔档案



            </h3>


            <ul>

                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2019/08.html" rel="" target="">
    2019年8月(3)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2019/07.html" rel="" target="">
    2019年7月(2)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2019/04.html" rel="" target="">
    2019年4月(1)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2019/03.html" rel="" target="">
    2019年3月(2)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2019/02.html" rel="" target="">
    2019年2月(1)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2018/12.html" rel="" target="">
    2018年12月(1)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2018/11.html" rel="" target="">
    2018年11月(4)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2018/09.html" rel="" target="">
    2018年9月(1)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2018/08.html" rel="" target="">
    2018年8月(3)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2018/07.html" rel="" target="">
    2018年7月(1)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2018/05.html" rel="" target="">
    2018年5月(1)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2018/03.html" rel="" target="">
    2018年3月(3)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2018/02.html" rel="" target="">
    2018年2月(3)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2018/01.html" rel="" target="">
    2018年1月(1)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2017/12.html" rel="" target="">
    2017年12月(7)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2017/11.html" rel="" target="">
    2017年11月(2)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2017/09.html" rel="" target="">
    2017年9月(3)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2017/08.html" rel="" target="">
    2017年8月(10)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/archive/2017/07.html" rel="" target="">
    2017年7月(4)
</a>
 

                        </li>

            </ul>


        </div>
        <div id="sidebar_articlecategory" class="catListArticleCategory sidebar-block">
            <h3 class="catListTitle">
                

文章分类



            </h3>


            <ul>

                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1043411.html" rel="" target="">
    php代码审计(3)
</a>
 

                        </li>
                        <li>
                            
<a href="https://www.cnblogs.com/r00tuser/category/1043413.html" rel="" target="">
    渗透测试(3)
</a>
 

                        </li>

            </ul>


        </div>

</div>

<!-- 最新评论 -->
<div id="sidebar_recentcomments" class="sidebar-block">
    <div class="catListComment">
<h3 class="catListTitle">最新评论</h3>

	<div class="RecentCommentBlock">
        <ul>
                    <li class="recent_comment_title"><a href="https://www.cnblogs.com/r00tuser/p/10528864.html#4328166">1. Re:PHP7和PHP5在安全上的区别[更新]</a></li>
                    <li class="recent_comment_body">@ 卡斯帕phpstorm...</li>
                    <li class="recent_comment_author">--水泡泡</li>
                    <li class="recent_comment_title"><a href="https://www.cnblogs.com/r00tuser/p/10528864.html#4328161">2. Re:PHP7和PHP5在安全上的区别[更新]</a></li>
                    <li class="recent_comment_body">师傅好，想问下您的编辑器是什么名字啊，看起来好好用。</li>
                    <li class="recent_comment_author">--卡斯帕</li>
                    <li class="recent_comment_title"><a href="https://www.cnblogs.com/r00tuser/p/11197671.html#4302543">3. Re:记一次渗透某XX站</a></li>
                    <li class="recent_comment_body">@love17 是的，路由那个之前我其实查过，也知道是这么回事。但是现实搞的时候让我怀疑了自己理解的对不对。htaccess与控制器冲突这个理解确实不对了，很感谢你的评论~</li>
                    <li class="recent_comment_author">--水泡泡</li>
                    <li class="recent_comment_title"><a href="https://www.cnblogs.com/r00tuser/p/11197671.html#4302389">4. Re:记一次渗透某XX站</a></li>
                    <li class="recent_comment_body">膜，每次看泡泡师傅的文章都能学习到一种思想和新知识。讨论：.htaccess与控制器重名，是不影响的，因为.htaccess作用在最开始。当url满足： RewriteCond %{REQUEST_F...</li>
                    <li class="recent_comment_author">--love17</li>
                    <li class="recent_comment_title"><a href="https://www.cnblogs.com/r00tuser/p/11152762.html#4302309">5. Re:记一次对微信引流网站的简单渗透测试</a></li>
                    <li class="recent_comment_body">@ 木木森森森exp 没法放的，你找一下吧...</li>
                    <li class="recent_comment_author">--水泡泡</li>
        </ul>
    </div>
</div>


</div>



<!-- 阅读排行榜 -->
<div id="sidebar_topviewedposts" class="sidebar-block">
    <div class="catListView">
<h3 class="catListTitle">阅读排行榜</h3>
	<div id="TopViewPostsBlock">
        <ul style="word-break:break-all">
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/7255939.html">
                            1. xxe漏洞的学习与利用总结(33739)
                        </a>
                    </li>
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/7515136.html">
                            2. 简单认识python cmd模块(14157)
                        </a>
                    </li>
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/7407459.html">
                            3. 某xss挑战赛闯关笔记(9187)
                        </a>
                    </li>
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/7444139.html">
                            4. 骗子网站，X毛都没有，骗我九十九(8160)
                        </a>
                    </li>
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/7252796.html">
                            5. sqlmap tamper的使用(5845)
                        </a>
                    </li>
        </ul>
    </div>
</div>


</div>

<!-- 评论排行榜 -->
<div id="sidebar_topcommentedposts" class="sidebar-block">
    <div class="catListFeedback">
<h3 class="catListTitle">评论排行榜</h3>
	<div id="TopFeedbackPostsBlock">
        <ul style="word-break:break-all">
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/9405870.html">
                            1. [代码审计]eyoucms前台未授权任意文件上传(3)
                        </a>
                    </li>
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/7515136.html">
                            2. 简单认识python cmd模块(2)
                        </a>
                    </li>
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/8044025.html">
                            3. [代码审计]青云客Cms前台有条件注入至getshell，后台xss至getshell、至弹你一脸计算器(2)
                        </a>
                    </li>
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/11197671.html">
                            4. 记一次渗透某XX站(2)
                        </a>
                    </li>
                    <li>
                        <a href="https://www.cnblogs.com/r00tuser/p/11152762.html">
                            5. 记一次对微信引流网站的简单渗透测试(2)
                        </a>
                    </li>
        </ul>
    </div>
</div>


</div>

<!-- 推荐排行榜 -->
<div id="sidebar_topdiggedposts" class="sidebar-block">
    
<div id="topdigg_posts_wrap">
    <div class="catListView">
        <h3 class="catListTitle">推荐排行榜</h3>
        <div id="TopDiggPostsBlock">
            <ul style="word-break: break-all">
                        <li>
                            <a href="https://www.cnblogs.com/r00tuser/p/7569942.html">
                                1. Tomcat代码执行漏洞(CVE-2017-12615)的演绎及个人bypass(1)
                            </a>
                        </li>
                        <li>
                            <a href="https://www.cnblogs.com/r00tuser/p/7413526.html">
                                2. XSS Challenges闯关笔记(1)
                            </a>
                        </li>
                        <li>
                            <a href="https://www.cnblogs.com/r00tuser/p/7411265.html">
                                3. php代码审计一些笔记(1)
                            </a>
                        </li>
                        <li>
                            <a href="https://www.cnblogs.com/r00tuser/p/8659090.html">
                                4. RPO漏洞学习(1)
                            </a>
                        </li>
                        <li>
                            <a href="https://www.cnblogs.com/r00tuser/p/11312212.html">
                                5. 记一次bypass某场景GD库及拓展分析(1)
                            </a>
                        </li>
            </ul>
        </div>
    </div>
</div>
</div></div>
                    <script>loadBlogSideColumn();</script>
			</div>
			
		</div><!--end: sideBarMain -->
	</div><!--end: sideBar 侧边栏容器 -->
	<div class="clear"></div>
	</div><!--end: main -->
	<div class="clear"></div>
	<div id="footer">
		<!--done-->
Copyright © 2019 水泡泡
<br><span id="poweredby">Powered by .NET Core 3.0.0-preview9-19423-09 on Linux</span>



	</div><!--end: footer -->
</div><!--end: home 自定义的最大容器 -->


    


</body></html>